path: root/Documentation/ABI/testing/ima_policy
Diffstat (limited to 'Documentation/ABI/testing/ima_policy')
-rw-r--r--  Documentation/ABI/testing/ima_policy  30
1 files changed, 18 insertions, 12 deletions
diff --git a/Documentation/ABI/testing/ima_policy b/Documentation/ABI/testing/ima_policy
index cd572912c593..e35263f97fc1 100644
--- a/Documentation/ABI/testing/ima_policy
+++ b/Documentation/ABI/testing/ima_policy
@@ -15,19 +15,22 @@ Description:
IMA appraisal, if configured, uses these file measurements
for local measurement appraisal.
- rule format: action [condition ...]
+ ::
- action: measure | dont_measure | appraise | dont_appraise |
- audit | hash | dont_hash
- condition:= base | lsm [option]
+ rule format: action [condition ...]
+
+ action: measure | dont_measure | appraise | dont_appraise |
+ audit | hash | dont_hash
+ condition:= base | lsm [option]
base: [[func=] [mask=] [fsmagic=] [fsuuid=] [uid=]
[euid=] [fowner=] [fsname=]]
lsm: [[subj_user=] [subj_role=] [subj_type=]
[obj_user=] [obj_role=] [obj_type=]]
option: [[appraise_type=]] [template=] [permit_directio]
[appraise_flag=] [keyrings=]
- base: func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK][MODULE_CHECK]
- [FIRMWARE_CHECK]
+ base:
+ func:= [BPRM_CHECK][MMAP_CHECK][CREDS_CHECK][FILE_CHECK]MODULE_CHECK]
+ [FIRMWARE_CHECK]
[KEXEC_KERNEL_CHECK] [KEXEC_INITRAMFS_CHECK]
[KEXEC_CMDLINE] [KEY_CHECK]
mask:= [[^]MAY_READ] [[^]MAY_WRITE] [[^]MAY_APPEND]
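Review bot: the rewritten `func:=` line in this hunk loses the opening bracket before `MODULE_CHECK`, so `[FILE_CHECK][MODULE_CHECK]` (as in the removed line) becomes `[FILE_CHECK]MODULE_CHECK]`. Restore the `[` so the documented syntax stays consistent with the other bracketed alternatives in the list; readers copying the hook names from this ABI file will otherwise see a malformed token.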
@@ -37,8 +40,9 @@ Description:
uid:= decimal value
euid:= decimal value
fowner:= decimal value
- lsm: are LSM specific
- option: appraise_type:= [imasig] [imasig|modsig]
+ lsm: are LSM specific
+ option:
+ appraise_type:= [imasig] [imasig|modsig]
appraise_flag:= [check_blacklist]
Currently, blacklist check is only for files signed with appended
signature.
@@ -49,7 +53,7 @@ Description:
(eg, ima-ng). Only valid when action is "measure".
pcr:= decimal value
- default policy:
+ default policy:
# PROC_SUPER_MAGIC
dont_measure fsmagic=0x9fa0
dont_appraise fsmagic=0x9fa0
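Review bot: the `default policy:` heading keeps a single colon while the `SELinux::` and `Smack::` headings later in this same patch are converted to the reStructuredText literal-block marker `::`. Since the lines that follow (`# PROC_SUPER_MAGIC`, `dont_measure fsmagic=0x9fa0`, ...) are a rule listing of the same kind, consider `default policy::` followed by a blank line so that block is rendered verbatim as well. Indentation is not visible in this rendering, so this only applies if the change here is purely whitespace.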
@@ -97,7 +101,8 @@ Description:
Examples of LSM specific definitions:
- SELinux:
+ SELinux::
+
dont_measure obj_type=var_log_t
dont_appraise obj_type=var_log_t
dont_measure obj_type=auditd_log_t
@@ -105,10 +110,11 @@ Description:
measure subj_user=system_u func=FILE_CHECK mask=MAY_READ
measure subj_role=system_r func=FILE_CHECK mask=MAY_READ
- Smack:
+ Smack::
+
measure subj_user=_ func=FILE_CHECK mask=MAY_READ
- Example of measure rules using alternate PCRs:
+ Example of measure rules using alternate PCRs::
measure func=KEXEC_KERNEL_CHECK pcr=4
measure func=KEXEC_INITRAMFS_CHECK pcr=5
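Review bot: `Example of measure rules using alternate PCRs::` is not followed by a blank line before `measure func=KEXEC_KERNEL_CHECK pcr=4`, unlike the `SELinux::` and `Smack::` hunks above, which add one. A reStructuredText literal block requires a blank line after the paragraph that ends in `::`; without it the `measure` lines are treated as continuation of that paragraph and will be reflowed as prose. Suggest inserting the blank line after the `::` heading to match the other two examples.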